[00:00:00] Welcome back. In this lecture, I want to talk about the subject of brute forcing different login pages. So we talked about many different attacks that were based on some type of a vulnerability, either in a code injection or CSRF attack or command injection. All of those were bugs that we covered, but we haven't covered how to brute force a login page. And for this entire section, we have been logging into this username and password field whenever we want to access the DVWA page. Let's say that we don't have the credentials for this page. We know, of course, that they are admin and password. But let's also see how we can try to brute force them, how we can try to guess the credentials. Of course, for this, we are going to need to have a little bit of luck, because this will require that inside of the password list that we are going to use, we have their password there. So this will only work if their password is pretty weak, which in our case it is, since the password is just "password".

[00:01:06] For this, we're going to use a tool called Hydra, and Hydra is already preinstalled in Kali Linux, so you can just type hydra inside of your terminal. And this will give you the help menu of the tool. However, I advise you not to look at this help menu, because it will be in no way helpful for these types of attacks. As we can see right here, it gives the example of usage. But once attacking the actual web pages, this becomes harder and harder to use. The syntax becomes harder and harder. So I advise you to actually pay attention once I'm writing the syntax so you can see how exactly I am doing it, because for every web page that has a login page with username and password, this syntax will be different.

[00:01:53] So let's start crafting our command. We are going to start with hydra, and then after it we specify the IP address of our target, which in my case is 192.168.1.9, as we can see right here. Then you've got a few options that you need to specify right here, which are based on how you are sending the username and password to the target. So in this case, if I type "test" right here and "test" as the password, I click on login. This is being sent as a POST form. So we are applying these usernames and passwords to the form and we are sending this to the target with a POST request. You can always check that right here inside of your Burp Suite, so you can go down here and we can see that this is a POST request where we send the "test" username and password. OK, so how can we specify that inside Hydra? Well, we can specify http-post-form.

[00:02:57] After this, you need to open the double quotes, and in between the double quotes, the first argument that you must specify for the page that you're brute forcing is the path to that page which requires username and password. And in our case, that path is /dvwa/login.php. So that is the first argument specified in between the quotes, and the arguments that you specify between these double quotes are separated with two dots, a colon. So once we type the path, we type a colon for the second argument. And the second argument is the username. So for this, we must go to the page that we are brute forcing. We must right click and go to "View page source", and we must find the name for the username field inside of the code. Usually the username and password fields will be inside of some type of a form, as we can see right here: form action login.php, method post. And if I go to the label for the username, we can see that the name for the username field is simply just "username". OK, so we must copy the name of this field and we must go right here and type it in. So paste it right after. And this username field will be equal to upper arrow, capital USER, and then once again upper arrow: ^USER^. Now you might be wondering what is happening here. Well, after we specified the name of the field on our page, we equal that to this syntax right here.

[00:04:30] And this is just Hydra's syntax. You use this upper arrow right here and you type USER in between that and you close it with an upper arrow. What this is telling the program to do is that it will put any username that we have in a list between these two upper arrows. So essentially any type of username from the list that we are going to use will be stored right here. But this is not the only field that we have. We also must specify the same thing for the password field. Now, to separate the username from the password field, we use this sign right here. So specify this sign, and then after it we can specify the password field name, just like we did right here. So let's go and find the label for the password. Here it is. And the name for the password field is simply just "password". And this is something that can change depending on which page you're brute forcing. So let's go right here and type password, which is the name of our field, and this will be equal to upper arrow, then PASS, and then once again upper arrow: ^PASS^. And this is also the same as with the username. So just any passwords that we use from our list will get stored right here instead of this capital PASS. And the last thing that we must set for this second argument of our command is the button that we're using.

[00:05:53] So every time you actually try to log in, you click on this login button, and this is something that we also want to simulate inside of our Hydra command. To do that, we go over to the page source. We find the button, which is usually right after the username and password fields. And in our case, here it is. We take a look at the type of the button and the button name, so we can see that the button name is Login, which we are going to specify, and then we are going to equal that to submit, so we can do it like this. Again, we need to separate it with this sign right here. And we type the name of the button, which is Login, and then equal to the type of the button, which in our case is submit, so we equal that to submit. And these three steps right here, which are username, password and button, are enough for us to actually submit a request for a specific username and password, but we also need to differentiate our valid username and password from the incorrect username and incorrect password. So how are we going to do that? Well, luckily, Hydra allows us to specify something that will stick out once a password is incorrect. And if we go to our page and we specify the incorrect username and incorrect password, once you click on login, you will notice that down here we have this string that says "Login failed".

[00:07:23] Now, just by thinking, we can figure out that this string will not exist if we manage to log in with successful credentials, so we can specify this string to our Hydra command to search for it. And every time it finds it, it will not print out that username and password as a valid username and password, because they are incorrect. So we can specify it with a colon and then paste it right here. "Login failed" will be the string that we are searching for, which will indicate that the username and password is incorrect. After we specified this, we can exit out of the double quotes, and all we are left to do is to specify -L and then the list for the usernames, which we are going to call usernames.txt, and -P, which will be the list for the passwords, which we are going to call passwords.txt. Now, for these lists, you can use any type of list that you want. In my case, since we don't have them, I'm just going to create them real quick for the purposes of this tutorial. I need to make sure that I'm in the same directory where I'm running this command, and then I'm going to nano usernames.txt and I'm going to type right here: root, account, Admin, then lowercase admin, passwords, username, test, 123, and a bunch of other things we are not going to specify.

[00:08:48] We can just leave it to be this small, just so we don't waste too much time brute forcing that page, and here we can type test, test123, 123456789, and then we can type admin, root, password and password123. So we do have the correct username and the correct password inside of both of these lists. Now that we have this, what we can do is run our command. Let's just double check it real quick. So hydra, the IP address of our target. We're using http-post-form because we are sending a POST request and we are sending our username and password inside of a form. Then we open double quotes, and the first argument is going to be the path to the page that the login form is located in; the second argument is going to be the username, password and button that we are submitting the username and password with. And the third argument inside of double quotes is going to be the string that we get once we specify the incorrect username and password. After it, we just specify -L for the usernames list and -P for the passwords list. If I click enter, here it is: it managed to find the correct username and password, it printed it out right here, and it tells us that the username is admin and that the password is password.

[00:10:20] So it finished relatively quickly, but it only had around 49 login tries, as it says right here, so feel free to use a bigger password list in order to give this even higher chances to work. Now that we did this, let's give it a try and let's log in with the username and password that we got, and it indeed works. So our tool successfully brute-forced the login. Now, in the next video, we're also going to take a look at how we can brute force this page right here, which is the brute force login page inside of our DVWA.